Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
From: Lewis Watson (lists_at_visionsix.com)
Date: 08/05/03
- Previous message: Tillman: "Kerberos in the handbook"
- Maybe in reply to: FreeBSD Security Advisories: "FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]"
- Next in thread: Jacques A. Vidrine: "Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]"
- Reply: Jacques A. Vidrine: "Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <security-advisories@freebsd.org>
Date: Tue, 5 Aug 2003 11:58:33 -0500
> NOTE WELL: Any statically linked applications that are not part of
> the base system (i.e. from the Ports Collection or other 3rd-party
> sources) must be recompiled.
>
> All affected applications must be restarted for them to use the
> corrected library. Though not required, rebooting may be the easiest
> way to accomplish this.
>
I have upgraded my 4.8 box to 4.8 p1. How do I verify what applications
need to be patched and how do I make sure that the above noted statically
linked applications are patched after I am done?
Thanks a bunch!
Lewis
----- Original Message -----
From: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
To: "FreeBSD Security Advisories" <security-advisories@freebsd.org>
Sent: Tuesday, August 05, 2003 7:02 AM
Subject: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath [REVISED]
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> =============================================================================
> FreeBSD-SA-03:08.realpath                                   Security Advisory
>                                                           The FreeBSD Project
>
> Topic: Single byte buffer overflow in realpath(3)
>
> Category: core
> Module: libc
> Announced: 2003-08-03
> Credits: Janusz Niewiadomski <funkysh@isec.pl>,
> Wojciech Purczynski <cliph@isec.pl>,
> CERT/CC
> Affects: All releases of FreeBSD up to and including 4.8-RELEASE
> and 5.0-RELEASE
> FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
> Corrected: 2003-08-03 23:46:24 UTC (RELENG_5_0)
> 2003-08-03 23:43:43 UTC (RELENG_4_8)
> 2003-08-03 23:44:12 UTC (RELENG_4_7)
> 2003-08-03 23:44:36 UTC (RELENG_4_6)
> 2003-08-03 23:44:56 UTC (RELENG_4_5)
> 2003-08-03 23:45:41 UTC (RELENG_4_4)
> 2003-08-03 23:46:03 UTC (RELENG_4_3)
> 2003-08-03 23:47:39 UTC (RELENG_3)
> FreeBSD only: NO
>
> 0. Revision History
>
> v1.0 2003-08-03 Initial release
> v1.1 2003-08-04 Updated information for lukemftpd
>
> I. Background
>
> The realpath(3) function is used to determine the canonical,
> absolute pathname from a given pathname which may contain extra
> ``/'' characters, references to ``/./'' or ``/../'', or references
> to symbolic links. The realpath(3) function is part of the FreeBSD
> Standard C Library.
>
> II. Problem Description
>
> An off-by-one error exists in a portion of realpath(3) that computes
> the length of the resolved pathname. As a result, if the resolved
> path name is exactly 1024 characters long and contains at least
> two directory separators, the buffer passed to realpath(3) will be
> overwritten by a single NUL byte.
>
> III. Impact
>
> Applications using realpath(3) MAY be vulnerable to denial of service
> attacks, remote code execution, and/or privilege escalation. The
> impact on an individual application is highly dependent upon the
> source of the pathname passed to realpath, the position of the output
> buffer on the stack, the architecture on which the application is
> running, and other factors.
>
> Within the FreeBSD base system, several applications use realpath(3).
> Two applications which are negatively impacted are:
>
> (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
> process the MLST and MLSD commands. The vulnerability may be
> exploitable, leading to code execution with superuser privileges.
>
> lukemftpd(8) was installed (but not enabled) by default in
> 4.7-RELEASE and in 4-STABLE dated Jun 20 21:13:33 2002 UTC through
> Nov 12 17:32:47 2002 UTC. It is not built or installed by default
> in any other release.
>
> If the `-r' option to lukemftpd is used (as suggested by the
> example /etc/inetd.conf supplied in 4.7-RELEASE), then successful
> exploitation leads to code execution with the privileges of
> the authenticated user (rather than superuser privileges).
>
> (2) sftp-server(8), part of OpenSSH: realpath(3) is used to process
> chdir commands. This vulnerability may be exploitable, leading
> to code execution with the privileges of the authenticated user.
>
> At the time of 4.8-RELEASE, the FreeBSD Ports Collection contained
> the following applications which appear to use realpath(3). These
> applications have not been audited, and may or may not be vulnerable.
> There may be additional applications in the FreeBSD Ports Collection
> that use realpath(3), particularly statically-linked applications and
> applications added since 4.8-RELEASE.
>
> BitchX-1.0c19_1
> Mowitz-0.2.1_1
> XFree86-clients-4.3.0_1
> abcache-0.14
> aim-1.5.234
> analog-5.24,1
> anjuta-1.0.1_1
> aolserver-3.4.2
> argus-2.0.5
> arm-rtems-gdb-5.2_1
> avr-gdb-5.2.1
> ccache-2.1.1
> cdparanoia-3.9.8_4
> cfengine-1.6.3_4
> cfengine2-2.0.3
> cmake-1.4.7
> comserv-1.4.3
> criticalmass-0.97
> dedit-0.6.2.3_1
> drweb_postfix-4.29.10a
> drweb-4.29.2
> drweb_sendmail-4.29.10a
> edonkey-gui-gtk-0.5.0
> enca-0.10.7
> epic4-1.0.1_2
> evolution-1.2.2_1
> exim-3.36_1
> exim-4.12_5
> exim-ldap-4.12_5
> exim-ldap2-4.12_5
> exim-mysql-4.12_5
> exim-postgresql-4.12_5
> fam-2.6.9_2
> fastdep-0.15
> feh-1.2.4_1
> ferite-0.99.6
> fileutils-4.1_1
> finfo-0.1
> firebird-1.0.2
> firebird-1.0.r2
> frontpage-5.0.2.2623_1
> galeon-1.2.8
> galeon2-1.3.2_1
> gdb-5.3_20030311
> gdb-5.2.1_1
> gdm2-2.4.1.3
> gecc-20021119
> gentoo-0.11.34
> gkrellmvolume-2.1.7
> gltron-0.61
> global-4.5.1
> gnat-3.15p
> gnomelibs-1.4.2_1
> gprolog-1.2.16
> gracula-3.0
> gringotts-1.2.3
> gtranslator-0.43_1
> gvd-1.2.5
> hercules-2.16.5
> hte-0.7.0
> hugs98-200211
> i386-rtems-gdb-5.2_1
> i960-rtems-gdb-5.2_1
> installwatch-0.5.6
> ivtools-1.0.6
> ja-epic4-1.0.1_2
> ja-gnomelibs-1.4.2_1
> ja-msdosfs-20001027
> ja-samba-2.2.7a.j1.1_1
> kdebase-3.1_1
> kdelibs-3.1
> kermit-8.0.206
> ko-BitchX-1.0c16_3
> ko-msdosfs-20001027
> leocad-0.73
> libfpx-1.2.0.4_1
> libgnomeui-2.2.0.1
> libpdel-0.3.4
> librep-0.16.1_1
> linux-beonex-0.8.1
> linux-divxplayer-0.2.0
> linux-edonkey-gui-gtk-0.2.0.a.2002.02.22
> linux-gnomelibs-1.2.8_2
> linux-mozilla-1.2
> linux-netscape-communicator-4.8
> linux-netscape-navigator-4.8
> linux-phoenix-0.3
> linux_base-6.1_4
> linux_base-7.1_2
> lsh-1.5.1
> lukemftpd-1.1_1
> m68k-rtems-gdb-5.2_1
> mips-rtems-gdb-5.2_1
> mod_php4-4.3.1
> moscow_ml-2.00_1
> mozilla-1.0.2_1
> mozilla-1.2.1_1,2
> mozilla-1.2.1_2
> mozilla-1.3b,1
> mozilla-1.3b
> mozilla-embedded-1.0.2_1
> mozilla-embedded-1.2.1_1,2
> mozilla-embedded-1.3b,1
> msyslog-1.08f_1
> netraider-0.0.2
> openag-1.1.1_1
> openssh-portable-3.5p1_1
> openssh-3.5
> p5-PPerl-0.23
> paragui-1.0.2_2
> powerpc-rtems-gdb-5.2_1
> psim-freebsd-5.2.1
> ptypes-1.7.4
> pure-ftpd-1.0.14
> qiv-1.8
> readlink-20010616
> reed-5.4
> rox-1.3.6_1
> rox-session-0.1.18_1
> rpl-1.4.0
> rpm-3.0.6_6
> samba-2.2.8
> samba-3.0a20
> scrollkeeper-0.3.11_8,1
> sh-rtems-gdb-5.2_1
> sharity-light-1.2_1
> siag-3.4.10
> skipstone-0.8.3
> sparc-rtems-gdb-5.2_1
> squeak-2.7
> squeak-3.2
> swarm-2.1.1
> tcl-8.2.3_2
> tcl-8.3.5
> tcl-8.4.1,1
> tcl-thread-8.1.b1
> teTeX-2.0.2_1
> wine-2003.02.19
> wml-2.0.8
> worker-2.7.0
> xbubble-0.2
> xerces-c2-2.1.0_1
> xerces_c-1.7.0
> xnview-1.50
> xscreensaver-gnome-4.08
> xscreensaver-4.08
> xworld-2.0
> yencode-0.46_1
> zh-cle_base-0.9p1
> zh-tcl-8.3.0
> zh-tw-BitchX-1.0c19_3
> zh-ve-1.0
> zh-xemacs-20.4_1
>
> IV. Workaround
>
> There is no generally applicable workaround.
>
> OpenSSH's sftp-server(8) may be disabled by editing
> /etc/ssh/sshd_config and commenting out the following line by
> inserting a `#' as the first character:
>
> Subsystem sftp /usr/libexec/sftp-server
>
> lukemftpd(8) may be replaced by the default ftpd(8).
>
> V. Solution
>
> 1) Upgrade your vulnerable system to 4.8-STABLE
> or to any of the RELENG_5_1 (5.1-RELEASE), RELENG_4_8
> (4.8-RELEASE-p1), or RELENG_4_7 (4.7-RELEASE-p11) security branches
> dated after the respective correction dates.
>
> 2) To patch your present system:
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility. The following patch
> has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
> 5.0-RELEASE.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your operating system as described in
> <URL:http://www.freebsd.org/doc/handbook/makeworld.html>.
>
> NOTE WELL: Any statically linked applications that are not part of
> the base system (i.e. from the Ports Collection or other 3rd-party
> sources) must be recompiled.
>
> All affected applications must be restarted for them to use the
> corrected library. Though not required, rebooting may be the easiest
> way to accomplish this.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_3
>   src/lib/libc/stdlib/realpath.c                                   1.6.2.1
> RELENG_4_3
>   src/UPDATING                                               1.73.2.28.2.32
>   src/lib/libc/stdlib/realpath.c                                   1.9.4.1
>   src/sys/conf/newvers.sh                                    1.44.2.14.2.22
> RELENG_4_4
>   src/UPDATING                                               1.73.2.43.2.45
>   src/lib/libc/stdlib/realpath.c                                   1.9.6.1
>   src/sys/conf/newvers.sh                                    1.44.2.17.2.36
> RELENG_4_5
>   src/UPDATING                                               1.73.2.50.2.44
>   src/lib/libc/stdlib/realpath.c                                   1.9.8.1
>   src/sys/conf/newvers.sh                                    1.44.2.20.2.28
> RELENG_4_6
>   src/UPDATING                                               1.73.2.68.2.42
>   src/lib/libc/stdlib/realpath.c                                  1.9.10.1
>   src/sys/conf/newvers.sh                                    1.44.2.23.2.31
> RELENG_4_7
>   src/UPDATING                                               1.73.2.74.2.14
>   src/lib/libc/stdlib/realpath.c                                  1.9.12.1
>   src/sys/conf/newvers.sh                                    1.44.2.26.2.13
> RELENG_4_8
>   src/UPDATING                                                1.73.2.80.2.3
>   src/lib/libc/stdlib/realpath.c                                  1.9.14.1
>   src/sys/conf/newvers.sh                                     1.44.2.29.2.2
> RELENG_5_0
>   src/UPDATING                                                  1.229.2.14
>   src/lib/libc/stdlib/realpath.c                                  1.11.2.1
>   src/sys/conf/newvers.sh                                         1.48.2.9
> - -------------------------------------------------------------------------
>
> VII. References
>
> <URL:http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt>
> <URL:http://www.kb.cert.org/vuls/id/743092>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (FreeBSD)
>
> iD8DBQE/L5wUFdaIBMps37IRAiY7AJ9k0TOFUzlwC5rHbax4bXa8lluyFACfc82w
> xpJrfCeDU4qOs8q33dXSsvw=
> =5z4e
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-security-notifications@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
> To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
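The question in the message above (which installed applications are on the advisory's realpath(3) list, and which statically linked binaries outside the base system need a rebuild) can be answered from the shell. The script below is an added example for this archive page; it is not part of the original thread, the advisory, or FreeBSD itself. It assumes pkg_info(1) prints one package per line as "name-version  comment" (the 4.x format), that file(1) reports static binaries with the words "statically linked" (true for both FreeBSD's and GNU file), and that nm(1) is the binutils nm with a -D option. The ADVISORY_PORTS excerpt is a handful of names copied from the advisory's list, and SAMPLE_PKG_INFO is constructed sample output, not real output from any machine.

```shell
#!/bin/sh
# Added example (not from the thread or the advisory): inventory helpers for
# FreeBSD-SA-03:08.realpath. Assumptions: pkg_info(1) 4.x output format,
# file(1) printing "statically linked", binutils nm(1) with -D.

# Strip the version suffix from a FreeBSD package name, e.g.
# "exim-ldap-4.12_5" -> "exim-ldap". The version is everything after the
# last '-' in FreeBSD package naming (suffixes like "_1" or ",2" stay with it).
pkg_base() {
    printf '%s\n' "$1" | sed 's/-[^-]*$//'
}

# Excerpt of the advisory's list of ports that appear to use realpath(3).
# Extend this with the full list from section III when running for real.
ADVISORY_PORTS='BitchX-1.0c19_1
exim-4.12_5
exim-ldap-4.12_5
openssh-portable-3.5p1_1
samba-2.2.8
tcl-8.3.5'

# Constructed sample of pkg_info(1) output (illustrative, not a real box).
SAMPLE_PKG_INFO='exim-ldap-4.12_5    Flexible mail transport agent
samba-2.2.8         A free SMB and CIFS client and server for UNIX
bash-2.05b.004      The GNU Bourne Again Shell
tcl-8.3.5           Tool Command Language'

# Read pkg_info-style lines on stdin and print each installed package whose
# base name matches a port in ADVISORY_PORTS, one per line. Matching is on
# the exact base name, so "exim-ldap" does not match "exim" or vice versa;
# an installed version newer than the listed one is still reported because
# the advisory says these ports have not been audited.
match_advisory_ports() {
    while read -r name _rest; do
        [ -n "$name" ] || continue
        base=$(pkg_base "$name")
        printf '%s\n' "$ADVISORY_PORTS" | while read -r port; do
            if [ "$(pkg_base "$port")" = "$base" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# List statically linked executables under the given directories (default:
# the ports and X11 install prefixes, i.e. what is outside the base system).
# These keep their own copy of realpath() and must be recompiled, not just
# restarted, after libc is fixed.
find_static_binaries() {
    [ $# -gt 0 ] || set -- /usr/local /usr/X11R6
    for dir in "$@"; do
        find "$dir" -type f -perm -0100 2>/dev/null | while read -r f; do
            if file "$f" 2>/dev/null | grep -q 'statically linked'; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# For a dynamically linked binary, report whether it imports realpath from
# libc (an undefined 'U' symbol in nm -D output). Such a binary picks up the
# corrected libc once it is restarted. Stripped static binaries show nothing
# here, which is why the advisory says to rebuild every static one.
uses_realpath() {
    nm -D "$1" 2>/dev/null | grep -q ' U realpath$'
}

# Offline demonstration on the constructed sample; on a real 4.8 box run
#   pkg_info | match_advisory_ports
#   find_static_binaries /usr/local /usr/X11R6
printf '%s\n' "$SAMPLE_PKG_INFO" | match_advisory_ports
```

match_advisory_ports prints the packages to rebuild or re-check by name; pass those names to pkg_info -L (or the port's origin) to find the binaries, then use uses_realpath on each dynamically linked one to decide whether a restart is all it needs, and rebuild everything find_static_binaries reports regardless of symbol output.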